what I propose is to add a few lines of documentation explaining the process of switching between different policy types (see the two patches below, one for load_policy and the other for the reference policy).

diff -pru policycoreutils-2.0.77/load_policy/load_policy.8 policycoreutils-2.0.77-new/load_policy/load_policy.8
--- policycoreutils-2.0.77/load_policy/load_policy.8 2009-11-19 23:16:03.000000000 +0100
+++ policycoreutils-2.0.77-new/load_policy/load_policy.8 2010-01-26 16:26:11.210178317 +0100
@@ -12,6 +12,11 @@ load_policy loads the installed policy f
The existing policy boolean values are automatically preserved
across policy reloads rather than being reset to the default
values in the policy file.
+.PP+It should be noted that it is not possible to switch between+a non-MLS/MCS policy and a MLS/MCS policy or viceversa at+runtime. To switch between such different types of policies+change the SELinux configuration and reboot the kernel.

.SH "OPTIONS"
.TP
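Review bot: The added paragraph tells the reader to "change the SELinux configuration" without naming the file or the setting to edit, so the man page still leaves the actual step to guesswork; name both explicitly. The README hunk in this same submission says a first boot in permissive mode may be needed, and this paragraph should say so as well so the two documents agree. Wording: "a MLS/MCS policy or viceversa" should read "an MLS/MCS policy or vice versa", and "reboot the kernel" reads more naturally as "reboot the system".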

diff -pru refpolicy-2.20091117/README refpolicy-2.20091117-new/README
--- refpolicy-2.20091117/README 2009-07-14 14:24:46.000000000 +0200
+++ refpolicy-2.20091117-new/README 2010-01-26 16:39:13.272185609 +0100
@@ -267,3 +267,14 @@ refresh Attempts to reinsert all modul
xml Build a policy.xml from the XML included with the
base policy headers and any XML in the modules in
the current directory.
++5) Switching between different types of policies (e.g. from non-MLS to MLS)++In order to switch from a non-MLS/non-MCS policy to a MLS or MCS policy+(and viceversa), make sure to change in build.conf not only the TYPE+parameter between the two policies but also the NAME parameter (just name+the new policy differently from the previous one). Also, after building the+new policy, in order to load it for the first time (and eventually install+custom modules), it might be necessary to reboot the kernel in permissive+mode (after having changed the SELinux configuration file to select the+new policy).
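Review bot: The new section 5 ends with the system booted in permissive mode and never says to return to enforcing once the new policy is loaded and any custom modules are installed; add that final step so the documented procedure does not leave the machine unenforced. The text also requires changing NAME along with TYPE in build.conf but gives no reason, and one sentence explaining why would keep readers from skipping it. Wording: "viceversa" should be "vice versa", "a MLS" should be "an MLS", and "eventually install custom modules" probably means "possibly install custom modules".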

Regards,

Guido
